Imagine360

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Imagine360, a Pennsylvania-based provider of self-funded health plan solutions, experienced a significant data breach due to third-party vulnerabilities. The breach, disclosed in January 2023, affected over 112,000 individuals. The incident involved unauthorized access to Imagine360’s Citrix file-sharing platform, leading to the exposure of sensitive information, including Social Security numbers and personal health information (PHI)[1][3].

The breach was part of a larger cybersecurity incident involving Fortra’s GoAnywhere managed file transfer solution, where an unauthorized actor exploited a zero-day vulnerability to copy data from multiple organizations, including Imagine360. This incident was identified around February 3, 2023, shortly after the initial discovery of the Citrix platform breach[1].

Imagine360 took immediate steps to mitigate the breach’s impact, including terminating platform access, resetting passwords, and enhancing security measures. Despite these efforts, the breach exposed names, medical and health insurance information, and Social Security numbers. The company has since suspended the use of Fortra’s platform and implemented additional safeguards[1][3].

In response to the breach, Imagine360 reported the incidents to federal law enforcement and began notifying affected individuals. The company also offered identity theft protection services through IDX to those impacted[8].

The breach has attracted legal attention, with firms like Lynch Carpenter LLP investigating claims against Imagine360 related to the data breach[10]. This incident underscores the challenges organizations face in securing third-party platforms and the importance of robust cybersecurity measures to protect sensitive information.

Citations:

  1. https://healthitsecurity.com/news/imagine360-suffers-third-party-data-breach-112k-impacted
  2. https://www.multiplan.us
  3. https://www.hipaajournal.com/imagine360-suffers-breaches-of-two-file-sharing-platforms/
  4. https://www.imagine360.com
  5. https://www.jdsupra.com/legalnews/imagine360-llc-notifies-over-125k-7788168/
  6. https://www.paubox.com/news/imagine360-reports-large-data-breach
  7. https://cybernews.com/security/imagine360-data-breach/
  8. https://www.doj.nh.gov/consumer/security-breaches/documents/imagine360-20230721.pdf
  9. https://www.scmagazine.com/brief/imagine360-others-impacted-by-separate-third-party-data-breaches
  10. https://lynchcarpenter.com/news/lynch-carpenter-llp-investigates-claims-in-imagine360-llc-data-breach/
Breach Submission Date Jun 30, 2023
Converted Entity Name Imagine360
Converted Entity Type Business Associate
State PA
Individuals Affected 132,807
Breach Type Unauthorized Access/Disclosure

Breach Information Location Network Server

Business Associate Present Yes